
communication

Posted Jan 24, 2026 14:34 UTC (Sat) by Heretic_Blacksheep (subscriber, #169992)
In reply to: communication by Phantom_Hoover
Parent article: Responses to gpg.fail

I don't agree. At all.

The reason I don't agree is because disclosure, regardless of how it's managed, prompts bad faith companies and even open source projects with self-promoted claims to security and quality to come clean or be proven to have no clothes. The bombast, if you will, actually started with grandiose claims by software companies and open source projects first (ex. OpenBSD's over-the-top security claims that have been walked back several times over the years).

Obviously, there's collateral damage to projects like cURL that try their best to Do The Right Thing without a lot of hoopla. What needs to change isn't necessarily the "tone", but the gating of quality reports, because some of these supposedly overblown inquiry results are not at all overblown, rather they're more like the preliminary steps that initiate repairs to the software code from organizations that would rather just sit on bad code indefinitely (*ahem* Oracle) till they take a PR/sales hit, or prompt people to move away to better maintained products or projects. This has been going on for years, and I doubt it's going to change. The question isn't what's "professional" or not, it's how open source projects deal with the not-really-new-but-definitely-evolving disclosure landscape.

The tone of professionalism is very much an opinion and one of culture. Some people don't like this, some don't like that. Others heartily approve of something else entirely. As a case in point, many Americans find The Register's tone unnecessarily sarcastic, abrasive, and unprofessional, while many Brits see it as normal professional journalistic bombast.

These discussions are worth holding whether the problems were already known or they're new. This industry has a serious problem with the New Kids ignoring the Old And Busted, then tripping over stuff that was a known problem or a "new" technique that's actually 20+ years old. GPG.fail was a mix of old and new, and both needed to be (re)visited and, where necessary, pointed out: something that was a bad idea in 1996, but with no way to change it then, probably should have been removed by 2025, since a viable, more secure replacement has been in place for what, 10-15 of those years? Sure, give people time to change over, but that shouldn't take more than 3-4 years tops, even if it's an enterprise (who will sit on broken tech indefinitely till they're forced to move by hook or crook).



Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.